By Geary Sikich.
Many aspects of risk management are deeply rooted in mathematical formulae for determining probability. This heavy dependence on mathematics to determine probability of risk realization may create ‘false positives’ regarding a risk that can be either positive or negative. There is also a limitation on how much data can be gathered and assessed in respect to the development of the probability equation regarding the risk being assessed.
A simple definition of uncertainty is ‘the quality or state of being uncertain; something that is doubtful or unknown’: this requires us to know what uncertain is. A simple definition of uncertain is ‘not exactly known or decided, not definite or fixed’: not definitely known should lead us to a recognition that calculating the probability of uncertainty is, if not impossible, surely extremely difficult and time consuming.
When we identify a risk we immediately attempt to quantify it in terms of probability of occurrence (realization). Probability is the chance that something will happen; a logical relation between statements such that evidence confirming one confirms the other to some degree. Probability is often affected by biases of the observer, leading, again, to potential false positives regarding the risk being assessed. Hence, one has to consider Heisenberg’s ‘Uncertainty Principle’ which generally is stated as: “any of a variety of mathematical inequalities asserting a fundamental limit to the precision with which certain pairs of physical properties of a particle, known as complementary variables, such as position x and momentum p, can be known”. First introduced in 1927 by the German physicist Werner Heisenberg, the Uncertainty Principle states that the more precisely the position of some particle is determined, the less precisely its momentum can be known, and vice versa.
Uncertainty: exploring risk
Risk is all about uncertainty. There is uncertainty associated with identification, recognition, mitigation, establishing and maintaining risk parity, etc. There is a negative and a positive side of risk; or to be clearer, there are negatives and positives that represent multi-dimensional aspects of risk. Where does potential, unrecognized, value reside? Where are the negative pitfalls that lurk in the false positives created by risk compliance? Viewing risk through a multi-dimensional lens can facilitate the identification and management of risk. Think of risk in terms of a kaleidoscope: when viewed, a simple twist can change the entire picture, perspectives and analyses.
"If you want an answer today you ask a machine," says Kevin Kelly, author of ‘The Inevitable’. The following figure, entitled, ‘Expansion of Ignorance’ depicts the quandary that we have with uncertainty. What Kevin Kelly refers to as ‘ignorance’. In effect it is not ignorance per se, rather it is the uncertainty created by having an answer and realizing that you have created more questions as a result.
Kelly goes on with the following statement: "Ignorance is opportunity, ignorance is often profit; ignorance is where we're going to live in this world of much more uncertainty."
Flying behind the plane: risk management today
Fundamental uncertainties derive from our fragmentary understanding of risk and complex system dynamics, and abundant stochastic variation in risk parameters. Uncertainty is not just a single dimension, but also surrounds the potential impacts of forces such as globalization and decentralization, effects of movements of global markets and trade regimes, and the effectiveness and utility of risk identification and control measures such as buffering, use of incentives, or strict regulatory approaches.
Such uncertainty underpins the arguments both of those exploiting risk, who demand evidence that exploitation causes harm before accepting limitations, and those avoiding risk, who seek to limit risk realization in the absence of clear indications of sustainability. Hence, probability, while providing some useful indicators, is not a good predictor of risk realization. There is just too much complexity and unknowns to accurately predict the probability of risk occurring at any given time. With the complexity of business and government today; and the heavy dependence on information systems and automation, determining probabilities become less useful due to the acceleration effects created by uncertainty. For example, ask the question: “Who owns cyber risk?”; you will get any number of answers depending on the perspective of the individuals being asked the question.
At a recent conference on disaster management that I participated in the following equation was offered by one of the speakers:
Threat x Vulnerability x Impact = Risk
I would argue that this equation provides the illusion of risk, not the reality of risk. For example, you conduct a risk assessment and determine that there is a threat (i.e., possibility of terrorist attack using a scale of 1 – 10 with 1 being not likely and 10 being extremely likely). Now you have to determine how vulnerable you are to this threat (i.e., say on a scale of 1 – 10 with 1 being not vulnerable and 10 being extremely vulnerable). Next, you determine the impact, again using the scale of 1 – 10 with 1 being no effect and 10 being extreme effect. You calculate according to the above equation and come up with a number. Now you begin to seek to determine the probability. You establish the probability using a scale of say on a scale of 1 – 10 with 1 being not probable and 10 being extremely probable. The result is a risk ranking. However, this process does not take into account observer bias or uncertainty. Uncertainty actually would carry more weight that observer bias simply because of all the unknowns that uncertainty presents. So, one may wish to re-write the equation as follows:
Threat x Vulnerability x Impact = Risk (current state)
Since the risk that we have identified is not static, uncertainty becomes more of a factor over time than probability, threat, vulnerability and impact. Over time the risk will change, especially due to the fact of uncertainty, non-static nature, potential unintended consequences, etc. Therefore the scale for uncertainty could be a positive or a negative number that extends to infinity. Risk assessment based on probability of occurrence is, in itself, a risky decision.
The need for risk parity
Risk parity is a balancing of resources to a risk. You identify a risk and then balance the resources you allocate to buffer against the risk being realized (that is occurring). This is done for all risks that you identify and is a constant process of allocation of resources to buffer the risk based on the expectation of risk occurring and the velocity, impact and ability to sustain resilience against the risk realization. You would apply this and then constantly assess to determine what resources need to be shifted to address the risk. This can be a short term or long term effort. The main point is that achieving risk parity is a balancing of resources based on assessment of risk realization.
Risk parity is not static; as risk is not static. When I say risk is not static, I mean that when you identify a risk and take action to mitigate that risk, the risk changes with regard to your action. The risk may increase or decrease, but it changes due to the action taken. You essentially create a new form of risk that you have to assess with regard to your action to mitigate the original risk. This can become quite complex as others also will be altering the state of the risk by taking actions to buffer the risk. The network that your organization operates in reacts to actions taken to address risk (i.e., value chain - customers, suppliers, etc.) all are reacting and this results in a non-static risk.
A good example would be the purchase of, say 100 shares of a stock. You have a risk that the stock will decline in value (downside risk); you might decide to sell a call option to offset the downside risk or place a stop loss order to minimize your loss. In essence you have changed the risk (non-static). The call option also creates a new risk; that is the risk that you may have the stock called away if it breaks the strike price. This will limit your profit on the stock (upside risk). In any event you have altered the risk and it has become non-static due to your actions and/or the actions of others within your network and external to your network. This gets us to non-aligned risk which is a risk that is influenced by nonlinear reaction.
I think that ‘relevance’ is a very significant word relative to key risk indicators (KRIs). You can have an extensive list but if they are not relevant to the organization and its operations they do little to enhance the risk management efforts. That said, we have to assess non-linearity and opacity with regard to the potential obfuscation of ‘relevance’.
Traditional approaches to business continuity, disaster recovery, crisis management, emergency response and concepts such as incident command, National Incident Management System, etc. are faced with new ground so to speak, as traditional approaches may not be as effective in dealing with the risk realities faced today. Uncertainty is the nature of risk, hence the projection of risk in terms of probability of occurrence can only provide limited value for a short period of time. In addition, much of our planning is reactionary, driven by media hype, high profile events that have a limited lifespan (i.e., Ebola crisis and subsequent surge in planning and uncertainty). We also need to get away from purely tactical planning, that is, reacting to the last event. Threat dynamics are changing resulting in more uncertainty not less; this requires a planning approach that integrates, tactical, operational and strategic planning, combining continuity, emergency, crisis, disaster and contingency planning into an integrated process.
In order for any organization to succeed in today’s fast paced, globally interlinked business environment the ability to identify and assess risk and to reduce uncertainty risk needs to be addressed. When you take management (leadership & decision-making), planning, operations, logistics, communications, finance, administration, infrastructure (internal & external), reputation, external relations and other dependency issues into account there is significant impact on six areas that I consider critical for organizations: strategy (goals & objectives), concept of operations, organizational structure, resource management, core competencies and pragmatic leadership (at all levels with a common understanding of terminology).
We live in a world full of consequences. Our decisions need to be made with the most information available with the recognition that all decisions carry with them flaws due to our inability know everything; uncertainty. Our focus should be on how our flawed decisions establish a context for flawed risk, threat, hazard, vulnerability (RTHV) assessments, leading to flawed plans, resulting in flawed abilities to execute effectively. If we change our thought processes from chasing symptoms and ignoring consequences to recognizing the limitations of decision making under uncertainty we may find that the decisions we are making have more upside than downside.
Geary Sikich – Entrepreneur, consultant, author and business lecturer
Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.
Geary is well-versed in contingency planning, risk management, human resource development, ‘war gaming’, as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the US Army after completing his BS in Criminology. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.
- Apgar, David, Risk Intelligence – Learning to Manage What We Don’t Know, Harvard Business School Press, 2006.
- Jones, Milo and Silberzahn, Philippe, Constructing Cassandra: Reframing Intelligence Failure at the CIA, 1947–2001, Stanford Security Studies (August 21, 2013) ISBN-10: 0804785805, ISBN-13: 978-0804785808
- Heisenberg, Werner; “Uncertainty Principle” 1927 (Wikipedia)
- Kami, Michael J., “Trigger Points: how to make decisions three times faster,” 1988, McGraw-Hill, ISBN 0-07-033219-3
- Kelly, Kevin, author of "The Inevitable," on the next 30 digital years at the Long Now Foundation. http://f4a.tv/2aF8g6T https://youtu.be/tvR5zZQgtGo
- Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002
- Sikich, Geary W., "Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty," PennWell Publishing, 2003
- Sikich, Geary W., "Risk and Compliance: Are you driving the car while looking in the rearview mirror?” 2013
- Sikich, Geary W., "“Transparent Vulnerabilities” How we overlook the obvious, because it is too clear that it is there” 2008
- Sikich, Geary W., "Risk and the Limitations of Knowledge” 2014
- Sikich, Geary W., “Complexity: The Wager – Analysis or Intuition?” 2015
- Sikich, Geary W., Remme, Joop “Unintended Consequences of Risk Reporting” 2016, Continuity Central
- Taleb, Nicholas Nassim, “The Black Swan: The Impact of the Highly Improbable,” 2007, Random House – ISBN 978-1-4000-6351-2, 2nd Edition 2010, Random House – ISBN 978-0-8129-7381-5
Copyright© Geary W. Sikich 2016. World rights reserved. Published with permission of the author.